Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to carry out another deserialization analysis of thinkphp6, the content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Forward

I have analyzed a chain of tp6 before; at that time, I used the _ _ toString method to carry out the transfer, thus realizing the link between the front and back chains, this time two other chains; using the fixed method under the controllable class to carry on the transfer; start the analysis

First of all, the environment can be set up with one click of composer, and then php think run can be run.

Text

The first idea is to use the destructor for the initial trigger; then track the magic function all the way to derive it step by step; first find the magic function under the AbstractCache class

Protected $autosave = true;public function _ _ destruct () {if (! $this- > autosave) {$this- > save ();}}

The code is as above; you can see that autosave can be controlled; here we can manually copy it to false; so that the save method can be triggered

Backtrack the save method; found the save method in CacheStore; the specific code is as follows

Public function save () {$contents = $this- > getForStorage (); $this- > store- > set ($this- > key, $contents, $this- > expire);}

You can see that it calls the getForStorage method and then assigns it to the $contents variable. Here, follow this method.

Public function getForStorage () {$cleaned = $this- > cleanContents ($this- > cache); return json_encode ([$cleaned, $this- > complete]);}

It is found that the cleanContents method is called first; then after the json_encode method is called, here we first backtrack the cleanContents method

Public function cleanContents (array $contents) {$cachedProperties = array_flip (['path',' dirname', 'basename',' extension', 'filename',' size', 'mimetype',' visibility', 'timestamp',' type', 'md5',]) Foreach ($contents as $path = > $object) {if (is_array ($object)) {$contents [$path] = array_intersect_key ($object, $cachedProperties);} return $contents;}

First of all, we see the array_flip method here; this method replaces the key name and key value of the array; then the array assigns the value to the $cachedProperties variable; then the parameters we pass in are traversed in the format of $path and $object; then the key name is judged by the is_array method, and the subsequent function processing is carried out if it is true; otherwise, the array return $content is directly processed. After this series of operations, return finally goes to the save function, and then goes on to do $this- > store- > set ($this- > key, $contents, $this- > expire). Here we find that store is also controllable; so there are two ways of thinking, the first is to de-instantiate a class with a set method, or we instantiate a class that has a _ _ call method; so that you can call the call magic method by accessing a method that doesn't exist. Here we first find a class with a set method; find it in the File class:

Public function set ($name, $value, $expire = null): bool {$this- > writeTimes++; if (is_null ($expire)) {$expire = $this- > options ['expire'];} $expire = $this- > getExpireTime ($expire); $filename = $this- > getCacheKey ($name); $dir = dirname ($filename); if (! is_dir ($dir)) {try {mkdir ($dir, 0755, true) } catch (\ Exception $e) {/ / creation failed}} $data = $this- > serialize ($value); if ($this- > options ['data_compress'] & & function_exists (' gzcompress')) {/ / data compression $data = gzcompress ($data, 3);} $data = "

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.